andrewmusselman opened a new issue, #759:
URL: https://github.com/apache/tooling-trusted-releases/issues/759

   
   | Attribute | Value |
   |-----------|-------|
   | **Severity** | Medium |
   | **Location** | `atr/util.py:446-463` |
   | **CWE** | CWE-755 (Improper Handling of Exceptional Conditions) |
   
   **Description:**
   The `is_user_viewing_as_admin()` function defaults to returning `True` 
(granting admin view privileges) when session reading fails due to missing 
`app_id` or any exception.
   
   **Vulnerable Code:**
   ```python
   def is_user_viewing_as_admin(uid: str | None) -> bool:
       if not user.is_admin(uid):
           return False
       try:
           app = asfquart.APP
           if (not hasattr(app, "app_id")) or (not isinstance(app.app_id, str)):
               log.error("Cannot get valid app_id to read session for admin view check")
               return True  # VULNERABLE: Defaults to admin on error
           cookie_id = app.app_id
           session_dict = quart.session.get(cookie_id, {})
           is_downgraded = session_dict.get("downgrade_admin_to_user", False)
           return not is_downgraded
       except Exception:
           log.exception(f"Error checking admin downgrade session status for {uid}")
           return True  # VULNERABLE: Defaults to admin on exception
   ```
   
   **Impact:** If an attacker can cause session reading to fail (e.g., 
corrupted session state, race condition), they may gain elevated admin view 
privileges after passing the initial `is_admin()` check.
   
   **Recommendation:**
   ```python
   def is_user_viewing_as_admin(uid: str | None) -> bool:
       if not user.is_admin(uid):
           return False
       try:
           app = asfquart.APP
           if (not hasattr(app, "app_id")) or (not isinstance(app.app_id, str)):
               log.error("Cannot get valid app_id to read session for admin view check")
               return False  # Fail secure: deny admin view on error
           # ... rest of function
       except Exception:
           log.exception(f"Error checking admin downgrade session status for {uid}")
           return False  # Fail secure: deny admin view on exception
   ```

